On Fri, 2005-02-25 at 20:21 +0100, Dieter Maurer wrote:
Roché Compaan wrote at 2005-2-25 17:22 +0200:
Last year in March the following checkin was made that changed ZCatalog's getObject to use restrictedTraverse instead of unrestrictedTraverse. See:
http://mail.zope.org/pipermail/zope-checkins/2004-March/026846.html
In my opinion this is wrong,
I agree with you!
I'm surprised that a release with such a dramatic change didn't break tons of sites running out there. Or maybe people upgrade reluctantly.
... I would propose that getObject does an unrestrictedTraverse of the path and then checks if the user has permission to access the object.
I argued precisely this approach with the person who made the change. I had the impression that I have convinced him -- but apparently, he did not change the code accordingly :-(
Maybe, a bug report to the collector will help?
I was reluctant to post an issue on the collector since getObject has been see-sawing on restricted- and unrestrictedTraverse for a very long time and I thought I'd post here first as a sanity check. Before Zope 2.3 it was restricted then it changed to unrestricted and now we're back to restricted again. But at the risk of somebody completely ignoring it or changing it back to restricted in Zope 2.8 I'll be off to the collector to log another issue ;-)

--
Roché Compaan
Upfront Systems
http://www.upfrontsystems.co.za
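The difference the thread turns on, as an added toy model that is not Zope code and not part of the original messages: it assumes restricted traversal validates the user against every object along the path, while the proposal traverses unrestricted and validates only the target. `Node`, `check_access`, `get_object_proposed` and the sample tree are hypothetical names constructed for the illustration.

```python
class Unauthorized(Exception):
    pass

class Node:
    """Constructed stand-in for a published object with an access list."""
    def __init__(self, name, allowed, children=()):
        self.name = name
        self.allowed = set(allowed)
        self.children = {c.name: c for c in children}

def check_access(user, node):
    if user not in node.allowed:
        raise Unauthorized(f"{user} may not access {node.name!r}")

def restricted_traverse(root, path, user):
    """Validate the user against every object on the way down."""
    node = root
    for name in path.strip("/").split("/"):
        node = node.children[name]
        check_access(user, node)
    return node

def unrestricted_traverse(root, path):
    """Walk the path with no security checks at all."""
    node = root
    for name in path.strip("/").split("/"):
        node = node.children[name]
    return node

def get_object_proposed(root, path, user):
    """Proposal from the thread: unrestricted walk, then check the target only."""
    obj = unrestricted_traverse(root, path)
    check_access(user, obj)
    return obj

# Constructed tree: bob may view /private/report but not the folder /private.
report = Node("report", {"alice", "bob"})
secret = Node("secret", {"alice"})
private = Node("private", {"alice"}, [report, secret])
root = Node("", {"alice", "bob"}, [private])

def outcome(fn, *args):
    """Return the object's name, or 'Unauthorized' if the lookup was denied."""
    try:
        return fn(*args).name
    except Unauthorized:
        return "Unauthorized"
```

In this model the restricted lookup denies bob the catalogued `report` because of the intermediate folder, while the proposed lookup returns it and still denies him `secret`.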